jwt 2.3.0 → 2.7.0

data/lib/jwt/algos/hmac_rbnacl_fixed.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module JWT
+  module Algos
+    module HmacRbNaClFixed
+      module_function
+
+      MAPPING = {
+        'HS256' => ::RbNaCl::HMAC::SHA256,
+        'HS512256' => ::RbNaCl::HMAC::SHA512256,
+        'HS384' => nil,
+        'HS512' => ::RbNaCl::HMAC::SHA512
+      }.freeze
+
+      SUPPORTED = MAPPING.keys
+
+      def sign(algorithm, msg, key)
+        key ||= ''
+
+        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+
+        if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
+          hmac.auth(padded_key_bytes(key, hmac.key_bytes), msg.encode('binary'))
+        else
+          Hmac.sign(algorithm, msg, key)
+        end
+      end
+
+      def verify(algorithm, key, signing_input, signature)
+        key ||= ''
+
+        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+
+        if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
+          hmac.verify(padded_key_bytes(key, hmac.key_bytes), signature.encode('binary'), signing_input.encode('binary'))
+        else
+          Hmac.verify(algorithm, key, signing_input, signature)
+        end
+      rescue ::RbNaCl::BadAuthenticatorError
+        false
+      end
+
+      def resolve_algorithm(algorithm)
+        MAPPING.fetch(algorithm)
+      end
+
+      def padded_key_bytes(key, bytesize)
+        key.bytes.fill(0, key.bytesize...bytesize).pack('C*')
+      end
+    end
+  end
+end

data/lib/jwt/algos/none.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module JWT
   module Algos
     module None
@@ -5,7 +7,9 @@ module JWT
 
       SUPPORTED = %w[none].freeze
 
-      def sign(*); end
+      def sign(*)
+        ''
+      end
 
       def verify(*)
         true

data/lib/jwt/algos/ps.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module JWT
   module Algos
     module Ps
@@ -7,11 +9,9 @@ module JWT
 
       SUPPORTED = %w[PS256 PS384 PS512].freeze
 
-      def sign(to_sign)
+      def sign(algorithm, msg, key)
         require_openssl!
 
-        algorithm, msg, key = to_sign.values
-
         key_class = key.class
 
         raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
@@ -21,17 +21,15 @@ module JWT
         key.sign_pss(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
       end
 
-      def verify(to_verify)
+      def verify(algorithm, public_key, signing_input, signature)
         require_openssl!
 
-        SecurityUtils.verify_ps(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
+        SecurityUtils.verify_ps(algorithm, public_key, signing_input, signature)
       end
 
       def require_openssl!
         if Object.const_defined?('OpenSSL')
-          major, minor = OpenSSL::VERSION.split('.').first(2)
-
-          unless major.to_i >= 2 && minor.to_i >= 1
+          if ::Gem::Version.new(OpenSSL::VERSION) < ::Gem::Version.new('2.1')
             raise JWT::RequiredDependencyError, "You currently have OpenSSL #{OpenSSL::VERSION}. PS support requires >= 2.1"
           end
         else

data/lib/jwt/algos/rsa.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module JWT
   module Algos
     module Rsa
@@ -5,14 +7,14 @@ module JWT
 
       SUPPORTED = %w[RS256 RS384 RS512].freeze
 
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.class == String
+      def sign(algorithm, msg, key)
+        raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.instance_of?(String)
+
         key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
       end
 
-      def verify(to_verify)
-        SecurityUtils.verify_rsa(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
+      def verify(algorithm, public_key, signing_input, signature)
+        SecurityUtils.verify_rsa(algorithm, public_key, signing_input, signature)
       end
     end
   end

data/lib/jwt/algos/unsupported.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module JWT
   module Algos
     module Unsupported

data/lib/jwt/algos.rb

@@ -1,5 +1,13 @@
 # frozen_string_literal: true
 
+begin
+  require 'rbnacl'
+rescue LoadError
+  raise if defined?(RbNaCl)
+end
+require 'openssl'
+
+require 'jwt/security_utils'
 require 'jwt/algos/hmac'
 require 'jwt/algos/eddsa'
 require 'jwt/algos/ecdsa'
@@ -7,35 +15,50 @@ require 'jwt/algos/rsa'
 require 'jwt/algos/ps'
 require 'jwt/algos/none'
 require 'jwt/algos/unsupported'
+require 'jwt/algos/algo_wrapper'
 
-# JWT::Signature module
 module JWT
-  # Signature logic for JWT
   module Algos
     extend self
 
-    ALGOS = [
-      Algos::Hmac,
-      Algos::Ecdsa,
-      Algos::Rsa,
-      Algos::Eddsa,
-      Algos::Ps,
-      Algos::None,
-      Algos::Unsupported
-    ].freeze
+    ALGOS = [Algos::Ecdsa,
+             Algos::Rsa,
+             Algos::Eddsa,
+             Algos::Ps,
+             Algos::None,
+             Algos::Unsupported].tap do |l|
+      if ::JWT.rbnacl_6_or_greater?
+        require_relative 'algos/hmac_rbnacl'
+        l.unshift(Algos::HmacRbNaCl)
+      elsif ::JWT.rbnacl?
+        require_relative 'algos/hmac_rbnacl_fixed'
+        l.unshift(Algos::HmacRbNaClFixed)
+      else
+        l.unshift(Algos::Hmac)
+      end
+    end.freeze
 
     def find(algorithm)
       indexed[algorithm && algorithm.downcase]
     end
 
+    def create(algorithm)
+      Algos::AlgoWrapper.new(*find(algorithm))
+    end
+
+    def implementation?(algorithm)
+      (algorithm.respond_to?(:valid_alg?) && algorithm.respond_to?(:verify)) ||
+        (algorithm.respond_to?(:alg) && algorithm.respond_to?(:sign))
+    end
+
     private
 
     def indexed
       @indexed ||= begin
-        fallback = [Algos::Unsupported, nil]
-        ALGOS.each_with_object(Hash.new(fallback)) do |alg, hash|
-          alg.const_get(:SUPPORTED).each do |code|
-            hash[code.downcase] = [alg, code]
+        fallback = [nil, Algos::Unsupported]
+        ALGOS.each_with_object(Hash.new(fallback)) do |cls, hash|
+          cls.const_get(:SUPPORTED).each do |alg|
+            hash[alg.downcase] = [alg, cls]
           end
         end
       end

data/lib/jwt/claims_validator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative './error'
 
 module JWT
@@ -9,7 +11,7 @@ module JWT
     ].freeze
 
     def initialize(payload)
-      @payload = payload.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
+      @payload = payload.transform_keys(&:to_sym)
     end
 
     def validate!

data/lib/jwt/configuration/container.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require_relative 'decode_configuration'
+require_relative 'jwk_configuration'
+
+module JWT
+  module Configuration
+    class Container
+      attr_accessor :decode, :jwk
+
+      def initialize
+        reset!
+      end
+
+      def reset!
+        @decode = DecodeConfiguration.new
+        @jwk    = JwkConfiguration.new
+      end
+    end
+  end
+end

data/lib/jwt/configuration/decode_configuration.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module JWT
+  module Configuration
+    class DecodeConfiguration
+      attr_accessor :verify_expiration,
+                    :verify_not_before,
+                    :verify_iss,
+                    :verify_iat,
+                    :verify_jti,
+                    :verify_aud,
+                    :verify_sub,
+                    :leeway,
+                    :algorithms,
+                    :required_claims
+
+      def initialize
+        @verify_expiration = true
+        @verify_not_before = true
+        @verify_iss = false
+        @verify_iat = false
+        @verify_jti = false
+        @verify_aud = false
+        @verify_sub = false
+        @leeway = 0
+        @algorithms = ['HS256']
+        @required_claims = []
+      end
+
+      def to_h
+        {
+          verify_expiration: verify_expiration,
+          verify_not_before: verify_not_before,
+          verify_iss: verify_iss,
+          verify_iat: verify_iat,
+          verify_jti: verify_jti,
+          verify_aud: verify_aud,
+          verify_sub: verify_sub,
+          leeway: leeway,
+          algorithms: algorithms,
+          required_claims: required_claims
+        }
+      end
+    end
+  end
+end

data/lib/jwt/configuration/jwk_configuration.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require_relative '../jwk/kid_as_key_digest'
+require_relative '../jwk/thumbprint'
+
+module JWT
+  module Configuration
+    class JwkConfiguration
+      def initialize
+        self.kid_generator_type = :key_digest
+      end
+
+      def kid_generator_type=(value)
+        self.kid_generator = case value
+                             when :key_digest
+                               JWT::JWK::KidAsKeyDigest
+                             when :rfc7638_thumbprint
+                               JWT::JWK::Thumbprint
+                             else
+                               raise ArgumentError, "#{value} is not a valid kid generator type."
+        end
+      end
+
+      attr_accessor :kid_generator
+    end
+  end
+end

data/lib/jwt/configuration.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require_relative 'configuration/container'
+
+module JWT
+  module Configuration
+    def configure
+      yield(configuration)
+    end
+
+    def configuration
+      @configuration ||= ::JWT::Configuration::Container.new
+    end
+  end
+end

data/lib/jwt/decode.rb

@@ -2,14 +2,16 @@
 
 require 'json'
 
-require 'jwt/signature'
 require 'jwt/verify'
+require 'jwt/x5c_key_finder'
+
 # JWT::Decode module
 module JWT
   # Decoding logic for JWT
   class Decode
     def initialize(jwt, key, verify, options, &keyfinder)
       raise(JWT::DecodeError, 'Nil JSON web token') unless jwt
+
       @jwt = jwt
       @key = key
       @options = options
@@ -22,51 +24,98 @@ module JWT
     def decode_segments
       validate_segment_count!
       if @verify
-        decode_crypto
+        decode_signature
+        verify_algo
+        set_key
         verify_signature
         verify_claims
       end
       raise(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
+
       [payload, header]
     end
 
     private
 
     def verify_signature
+      return unless @key || @verify
+
+      return if none_algorithm?
+
+      raise JWT::DecodeError, 'No verification key available' unless @key
+
+      return if Array(@key).any? { |key| verify_signature_for?(key) }
+
+      raise(JWT::VerificationError, 'Signature verification failed')
+    end
+
+    def verify_algo
       raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
-      raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless header['alg']
-      raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless options_includes_algo_in_header?
+      raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless alg_in_header
+      raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') if allowed_and_valid_algorithms.empty?
+    end
 
+    def set_key
       @key = find_key(&@keyfinder) if @keyfinder
-      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks]
+      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks], allow_nil_kid: @options[:allow_nil_kid]).key_for(header['kid']) if @options[:jwks]
+      if (x5c_options = @options[:x5c])
+        @key = X5cKeyFinder.new(x5c_options[:root_certificates], x5c_options[:crls]).from(header['x5c'])
+      end
+    end
+
+    def verify_signature_for?(key)
+      allowed_and_valid_algorithms.any? do |alg|
+        alg.verify(data: signing_input, signature: @signature, verification_key: key)
+      end
+    end
 
-      Signature.verify(header['alg'], @key, signing_input, @signature)
+    def allowed_and_valid_algorithms
+      @allowed_and_valid_algorithms ||= allowed_algorithms.select { |alg| alg.valid_alg?(alg_in_header) }
     end
 
-    def options_includes_algo_in_header?
-      allowed_algorithms.any? { |alg| alg.casecmp(header['alg']).zero? }
+    # Order is very important - first check for string keys, next for symbols
+    ALGORITHM_KEYS = ['algorithm',
+                      :algorithm,
+                      'algorithms',
+                      :algorithms].freeze
+
+    def given_algorithms
+      ALGORITHM_KEYS.each do |alg_key|
+        alg = @options[alg_key]
+        return Array(alg) if alg
+      end
+      []
     end
 
     def allowed_algorithms
-      # Order is very important - first check for string keys, next for symbols
-      algos = if @options.key?('algorithm')
-        @options['algorithm']
-      elsif @options.key?(:algorithm)
-        @options[:algorithm]
-      elsif @options.key?('algorithms')
-        @options['algorithms']
-      elsif @options.key?(:algorithms)
-        @options[:algorithms]
-      else
-        []
+      @allowed_algorithms ||= resolve_allowed_algorithms
+    end
+
+    def resolve_allowed_algorithms
+      algs = given_algorithms.map do |alg|
+        if Algos.implementation?(alg)
+          alg
+        else
+          Algos.create(alg)
+        end
       end
-      Array(algos)
+
+      sort_by_alg_header(algs)
+    end
+
+    # Move algorithms matching the JWT alg header to the beginning of the list
+    def sort_by_alg_header(algs)
+      return algs if algs.size <= 1
+
+      algs.partition { |alg| alg.valid_alg?(alg_in_header) }.flatten
     end
 
     def find_key(&keyfinder)
       key = (keyfinder.arity == 2 ? yield(header, payload) : yield(header))
-      raise JWT::DecodeError, 'No verification key available' unless key
-      key
+      # key can be of type [string, nil, OpenSSL::PKey, Array]
+      return key if key && !Array(key).empty?
+
+      raise JWT::DecodeError, 'No verification key available'
     end
 
     def verify_claims
@@ -77,7 +126,7 @@ module JWT
     def validate_segment_count!
       return if segment_length == 3
       return if !@verify && segment_length == 2 # If no verifying required, the signature is not needed
-      return if segment_length == 2 && header['alg'] == 'none'
+      return if segment_length == 2 && none_algorithm?
 
       raise(JWT::DecodeError, 'Not enough or too many segments')
     end
@@ -86,8 +135,16 @@ module JWT
       @segments.count
     end
 
-    def decode_crypto
-      @signature = JWT::Base64.url_decode(@segments[2] || '')
+    def none_algorithm?
+      alg_in_header == 'none'
+    end
+
+    def decode_signature
+      @signature = ::JWT::Base64.url_decode(@segments[2] || '')
+    end
+
+    def alg_in_header
+      header['alg']
     end
 
     def header
@@ -103,7 +160,7 @@ module JWT
     end
 
     def parse_and_decode(segment)
-      JWT::JSON.parse(JWT::Base64.url_decode(segment))
+      JWT::JSON.parse(::JWT::Base64.url_decode(segment))
     rescue ::JSON::ParserError
       raise JWT::DecodeError, 'Invalid segment encoding'
     end

data/lib/jwt/encode.rb

@@ -1,28 +1,35 @@
 # frozen_string_literal: true
 
-require_relative './algos'
-require_relative './claims_validator'
+require_relative 'algos'
+require_relative 'claims_validator'
 
 # JWT::Encode module
 module JWT
   # Encoding logic for JWT
   class Encode
-    ALG_NONE = 'none'.freeze
-    ALG_KEY  = 'alg'.freeze
+    ALG_KEY = 'alg'
 
     def initialize(options)
-      @payload = options[:payload]
-      @key = options[:key]
-      _, @algorithm = Algos.find(options[:algorithm])
-      @headers = options[:headers].each_with_object({}) { |(key, value), headers| headers[key.to_s] = value }
+      @payload          = options[:payload]
+      @key              = options[:key]
+      @algorithm        = resolve_algorithm(options[:algorithm])
+      @headers          = options[:headers].transform_keys(&:to_s)
+      @headers[ALG_KEY] = @algorithm.alg
     end
 
     def segments
-      @segments ||= combine(encoded_header_and_payload, encoded_signature)
+      validate_claims!
+      combine(encoded_header_and_payload, encoded_signature)
     end
 
     private
 
+    def resolve_algorithm(algorithm)
+      return algorithm if Algos.implementation?(algorithm)
+
+      Algos.create(algorithm)
+    end
+
     def encoded_header
       @encoded_header ||= encode_header
     end
@@ -40,26 +47,29 @@ module JWT
     end
 
     def encode_header
-      @headers[ALG_KEY] = @algorithm
-      encode(@headers)
+      encode_data(@headers)
     end
 
     def encode_payload
-      if @payload && @payload.is_a?(Hash)
-        ClaimsValidator.new(@payload).validate!
-      end
+      encode_data(@payload)
+    end
 
-      encode(@payload)
+    def signature
+      @algorithm.sign(data: encoded_header_and_payload, signing_key: @key)
     end
 
-    def encode_signature
-      return '' if @algorithm == ALG_NONE
+    def validate_claims!
+      return unless @payload.is_a?(Hash)
+
+      ClaimsValidator.new(@payload).validate!
+    end
 
-      JWT::Base64.url_encode(JWT::Signature.sign(@algorithm, encoded_header_and_payload, @key))
+    def encode_signature
+      ::JWT::Base64.url_encode(signature)
     end
 
-    def encode(data)
-      JWT::Base64.url_encode(JWT::JSON.generate(data))
+    def encode_data(data)
+      ::JWT::Base64.url_encode(JWT::JSON.generate(data))
     end
 
     def combine(*parts)

data/lib/jwt/error.rb

@@ -10,6 +10,7 @@ module JWT
   class IncorrectAlgorithm < DecodeError; end
   class ImmatureSignature < DecodeError; end
   class InvalidIssuerError < DecodeError; end
+  class UnsupportedEcdsaCurve < IncorrectAlgorithm; end
   class InvalidIatError < DecodeError; end
   class InvalidAudError < DecodeError; end
   class InvalidSubError < DecodeError; end